System and methods for secure utilization of attestation in policy-based decision making for mobile device management and security
Abstract
Policy-based client-server systems and methods for attestation in managing and securing mobile computing devices. Attestation provides the means to make efficient, secure, and reproducible use of knowledge possessed by trusted expert parties and authorities within the expression and enforcement of policies for controlling use of, and access to, onboard software and hardware, network capabilities, and remote assets and services. Aspects of secure attestation of applications that use shared and dynamically loaded libraries are presented, as well as potential business models for attestation used in such a policy-based system. The system of the present invention resolves attestation record conflicts using digital certificates and digital signatures.
Claims
exact text as granted — not AI-modified
What is claimed is:
1. A system to manage and secure computing devices by adjudicated resource decisions comprising:
a secured policy-based control system having a processor to compute adjudicated resource decisions based on a resource identifier, at least one associated attestation record, and secure, policy-driven conditions for permitted operations on the identified resource, configured to resolve conflicts between attestation records;
an attestation non-transitory memory coupled to the policy-based control system, to store resource identifiers, associated attestation record and secure, policy-driven conditions for permitted operations on the identified resource;
a first interface to receive requests for adjudicated resource decisions from computing devices;
a second interface to retrieve the resource identifier associated with the subject resource decision, where the requesting computing device has no access to the policy-driven conditions used in the adjudication, to retrieve the attestation record associated with the resource identifier and to retrieve the secure, policy-driven conditions for permitted operations on the identified resource from the attestation non-transitory memory;
a third interface to transmit the resource identifier, associated attestation record and secure, policy-driven conditions for permitted operations on the identified resource to the policy-based control system; and
a fourth interface, coupled to the policy-based control system to retrieve and to transmit the adjudicated resource decisions to the computing devices.
2. The system of claim 1, wherein attestation record conflicts are resolved using digital certificates and digital signatures.
3. The system of claim 1 wherein attestation conflicts are resolved by applying a directed acyclic graph (DAG) of attesters.
4. A method to manage and secure computing devices by adjudicated resource decisions based on policy-driven condition for permitted operations, the method comprising the steps of:
receiving a request for adjudication of a resource decision from a computing device where the requesting computing device has no access to the policy-driven conditions for permitted operations;
receiving a resource identifier, associated attestation records and secure, policy-driven permitted operations on the identified resource;
resolving any conflict between associated attestation records;
storing the resource identifier, associated attestation records, and secure, policy-driven permitted operations on the identified resource in a non-transitory memory;
transmitting the resource identifier, associated attestation records and secure policy-driven conditions for permitted operations on the identified resource to a policy-based control system for adjudication;
computing an adjudicated resource decision based on the resource identifier, associated attestation record and secure, policy-driven conditions for permitted operations on the identified resource; and
transmitting the adjudicated resource decision to a computing device.
5. The method of claim 4, wherein attestation record conflicts are resolved using digital certificates and digital signatures.
6. The method of claim 4, wherein conflicts between associated attestation records are resolved by applying a directed acyclic graph (DAG) of attesters.
Cited by (0)
No later patents cite this yet.
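The adjudication procedure of claims 4 to 6 (receive records, verify them, resolve conflicts, apply the policy the device never sees, return only the decision), as an added Go example that is not code from the patent or any product. It assumes Ed25519 public keys registered per attester as a stand-in for the patent's digital certificates and signatures (no certificate chain is modelled), interprets the DAG of attesters as precedence (a record from an authority reachable upward in the DAG overrides records from attesters below it, and unrelated peers that disagree leave the resource with no usable verdict), and uses constructed attester names, resource identifiers, verdicts and a constructed signing-payload format:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AttestationRecord: one attester's signed verdict ("trusted"/"untrusted") on a resource.
type AttestationRecord struct {
	ResourceID, Attester, Verdict string
	Signature                     []byte
}

// payload is the assumed canonical byte string an attester signs.
func payload(resourceID, attester, verdict string) []byte {
	return []byte(resourceID + "|" + attester + "|" + verdict)
}

// Adjudicator is the policy-based control system with its attestation store.
type Adjudicator struct {
	Keys     map[string]ed25519.PublicKey   // attester -> public key
	Parents  map[string][]string            // attester -> authorities that outrank it (the DAG)
	Policies map[string]map[string]bool     // resource -> permitted ops; never sent to devices
	Records  map[string][]AttestationRecord // resource -> stored attestation records
}

// outranks reports whether authority a is reachable upward from attester b in the DAG.
func (ad *Adjudicator) outranks(a, b string) bool {
	for _, p := range ad.Parents[b] {
		if p == a || ad.outranks(a, p) {
			return true
		}
	}
	return false
}

// Resolve discards records whose signature does not verify, then records outranked by a
// valid one; "" means nothing survived or peers still disagree, so callers fail closed.
func (ad *Adjudicator) Resolve(resourceID string) string {
	var valid []AttestationRecord
	for _, r := range ad.Records[resourceID] {
		pub, known := ad.Keys[r.Attester]
		if known && r.ResourceID == resourceID && ed25519.Verify(pub, payload(r.ResourceID, r.Attester, r.Verdict), r.Signature) {
			valid = append(valid, r)
		}
	}
	verdict := ""
next:
	for _, r := range valid {
		for _, o := range valid {
			if o.Attester != r.Attester && ad.outranks(o.Attester, r.Attester) {
				continue next // r is outranked by a valid record from o
			}
		}
		if verdict != "" && verdict != r.Verdict {
			return ""
		}
		verdict = r.Verdict
	}
	return verdict
}

// Adjudicate computes the decision a device receives; a missing policy permits nothing.
func (ad *Adjudicator) Adjudicate(resourceID, op string) (bool, string) {
	switch v := ad.Resolve(resourceID); {
	case v == "":
		return false, "denied: no usable attestation"
	case v != "trusted":
		return false, "denied: attestation verdict " + v
	case !ad.Policies[resourceID][op]:
		return false, "denied: operation not permitted"
	}
	return true, "permitted"
}

// BuildDemo constructs a sample deployment with fresh keys; every name here is constructed.
func BuildDemo() *Adjudicator {
	ad := &Adjudicator{Keys: map[string]ed25519.PublicKey{}, Records: map[string][]AttestationRecord{},
		Parents:  map[string][]string{"app-store": {"enterprise"}, "enterprise": {"root"}},
		Policies: map[string]map[string]bool{"app:com.example.vpn": {"install": true, "run": true}}}
	privs := map[string]ed25519.PrivateKey{}
	for _, n := range []string{"root", "enterprise", "app-store"} {
		ad.Keys[n], privs[n], _ = ed25519.GenerateKey(rand.Reader)
	}
	add := func(res, attester, verdict string, signer ed25519.PrivateKey) {
		sig := ed25519.Sign(signer, payload(res, attester, verdict))
		ad.Records[res] = append(ad.Records[res], AttestationRecord{res, attester, verdict, sig})
	}
	add("app:com.example.vpn", "app-store", "untrusted", privs["app-store"]) // store flags the app
	add("app:com.example.vpn", "enterprise", "trusted", privs["enterprise"]) // higher authority overrides
	add("app:com.example.vpn", "root", "untrusted", privs["app-store"])      // forgery: wrong key for "root"
	return ad
}

func main() {
	ok, why := BuildDemo().Adjudicate("app:com.example.vpn", "run")
	fmt.Println(ok, why)
}
```

In the constructed scenario the enterprise authority sits above the app store in the DAG, so its "trusted" record overrides the store's "untrusted" one, while the record that claims to come from "root" is discarded because its signature does not verify under the registered root key. The device receives only the permitted/denied outcome and a short reason; the policy table and the records themselves stay on the server, matching the claims' requirement that the requesting device has no access to the policy-driven conditions.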
References (0)
No backward citations on record.